Encrypting device, decrypting device, cryptosystem including the same devices, encrypting method, and decrypting method

ABSTRACT

A cryptosystem includes an encrypting device, a communication path, and a decrypting arithmetic device. Key generation means in the encrypting device generate a public key {g 1 , g 2 } as random numbers respectively including the power of (p−1) and the power of (q−1) and decrypt a message m using the Fermat&#39;s little theorem and the Chinese remainder theorem. This makes it possible to suggest an extremely simple cryptosystem, which is simplified by reducing the amount of computations for encryption and decryption and enables encryption and decryption by simple calculations, while maintaining a security equivalent to the RSA encryption scheme.

[0001] This Nonprovisional application claims priority under 35 U.S.C. § 119(a) on Patent Application No. 16761/2003 filed in Japan on Jan. 24, 2003, and Patent Application No. 13401/2004 filed in Japan on Jan. 21, 2004, the entire contents of which are hereby incorporated by reference.

FIELD OF THE INVENTION

[0002] The present invention relates to an encrypting device for encrypting messages transmitted and received over the Internet or the like, a decrypting device for decrypting encrypted messages, and a cryptosystem including the encrypting device and the decrypting device.

BACKGROUND OF THE INVENTION

[0003] Conventionally, there has been the problem of leakage and tampering of data and others exchanged over the Internet or the like. For the solution to this problem, a cryptosystem of encrypting data and others to transmit it to the receiving end has been adopted.

[0004] The cryptosystem is classified into a common-key cryptosystem and a public-key cryptosystem. The public-key cryptosystem is mainly adopted because of easier key management, lower risk of data leakage, and other reasons.

[0005] The typical example of the public-key cryptosystem is the RSA encryption scheme.

[0006] The RSA encryption scheme is a public-key cryptosystem using as one of public keys a product n=pq, where p and q are prime numbers generated as a substantial private key, and employing the nature of the easiness of finding n from p and q, but the difficulty of finding two prime numbers p and q from n.

[0007] Thus, by publicly revealing n as one of public keys, everyone can generate a ciphertext, but it is very difficult to find two large prime numbers p and q for decryption of the ciphertext. From this point, it can be said that security of data transmitted by the RSA encryption scheme is extremely high.

[0008] However, although the conventional RSA encryption scheme as described above has a high performance in terms of data secrecy and has a simple algorism, its security depends on the difficulty of factoring a product n of two prime numbers p and q. Therefore, it is necessary to use about 200-digit n in the decimal system, and there is the problem that it is very difficult to perform modulo n exponentiation, which are necessary for encryption and decryption processes.

[0009] Moreover, the RSA encryption scheme is of a multiplicative property, which results in a security problem that three signatures can be generated from two signatures.

SUMMARY OF THE INVENTION

[0010] An object of the present invention is to suggest a secret cryptosystem of an extremely simple public key, which simplifies its algorism, while maintaining a security equivalent to the RSA encryption scheme, and to provide an encrypting device which can perform encryption by simple calculations, a decrypting device which can perform decryption by simple calculations, a cryptosystem including the same devices, an encrypting method, and a decrypting method.

[0011] In order to achieve the above object, an encrypting device of the present invention includes:

[0012] key generation means for generating two prime numbers p and q of which product is n=pq as a private key and generating as a public key g₁ and g₂ respectively given by the following Equations (1) and (2) using two random numbers s and t and a maximal generator g in a multiplicative group of integers modulo n; and

[0013] encrypting arithmetic means for, in response to receipt of a plaintext m, generating a ciphertext C═(C₁, C₂) respectively given by the following Equations (3) and (4) using the public key {g₁, g₂}, a private key n, and random numbers r1 and r2,

g ₁ =g ^(s(p−1))(modn),  (1)

g ₂ =g ^(t(q−1))(modn),  (2)

C ₁ =m·g ₁ ^(r1)(modn),  (3)

C ₂ =m·g ₂ ^(r2)(modn),  (4)

[0014] where gcd{s, q−1}=1 and gcd{t, p−1}=1.

[0015] According to the above arrangement, keys g₁ and g₂ generated as a public key respectively include the power of (p−1) and the power of (q−1), and the ciphertext elements C₁ and C₂ generated using the public key {g₁, g₂} and the private key n also include the power of (p−1) and the power of (q−1), respectively. This makes it possible to easily decrypt the ciphertext elements C₁ and C₂ using the Fermat's little theorem (a^(p−1)≡1 (mod p)).

[0016] That is, the encrypting device of the present invention causes the key generation means to generate two large prime numbers p and q as a private key and to generate the public key {g₁, g₂} so as to respectively include the power of (p−1) and the power of (q−1) by using the private key {p, q} and the random numbers s and t.

[0017] This makes it possible to directly use the two large prime numbers p and q as a private key and to compute the public key {g₁, g₂} by very simple calculations including the power of (p−1) using a random number.

[0018] Further, the ciphertext elements generated by the encrypting arithmetic means in the encrypting device of the present invention are given by the equations respectively including the power of (p−1) and the power of (q−1) using the public key {g₁, g₂} and the private key n, so that it is possible to decrypt the ciphertext using the Fermat's little theorem.

[0019] The Fermat's little theorem is given by a^(p−1)≡1 (mod p), and a number including the power of (p−1) modulo p is calculated, thereby reducing its remainder to “1”. Therefore, it is possible to compute two received ciphertexts corresponding to ciphertext elements C₁ and C₂ from the ciphertext elements C₁ and C₂ using the Fermat's little theorem and to decrypt the plaintext m from the two received ciphertexts using the Chinese remainder theorem.

[0020] In the encrypting device of the present invention, as described above, it is possible to generate the public key {g₁, g₂} and the private key n by simple calculations using a simple private key {p, q}, to generate a ciphertext by simple calculations, and to decrypt the ciphertext by simple calculations using the Fermat's little theorem, thus enabling higher-speed processing as compared to the conventional encryption scheme.

[0021] Meanwhile, in terms of security of the encrypting device of the present invention, the public key {g₁, g₂} include random numbers s and t, respectively, so that the public key {g₁, g₂} and the private key n are independent from each other.

[0022] Consequently, according to the encrypting device of the present invention, it is possible to perform encryption and decryption at high speed by reducing the amount of computations while maintaining a high security.

[0023] In order to achieve the above object, another encrypting device of the present invention includes:

[0024] key generation means for generating prime numbers p and q of which product is n=pq, where p is a private key, and generating as a public key g₁ given by the following Equation (1) using a random number s and a maximal generator g in a multiplicative group of integers modulo n; and

[0025] encrypting arithmetic means for, in response to receipt of a plaintext m, generating a ciphertext C given by the following Equation (3)′ using the public key g₁, a private key n, and a random number r,

g ₁ =g ^(s(p−1))(modn),  (1)

C=m·g ₁ ^(r)(modn),  (3)′

[0026] where when public information b is a size of p (bits), 0<m<2^(b−1) and gcd{s, q−1}=1.

[0027] According to the above arrangement, a key g₁ generated as a public key includes the power of (p−1), and the ciphertext C generated using the public key g₁ also include the power of (p−1). This makes it possible to easily decrypt the ciphertext C using the Fermat's little theorem (a^(p−1)≡1 (mod p)).

[0028] That is, the encrypting device of the present invention causes the key generation means to generate two large prime numbers p and q as a private key and to generate the public key g₁ so as to include the power of (p−1) by using the private key {p, q} and the random numbers s and t.

[0029] As to the relation between the private key p and the size b, by limiting a length of the message m, and using this size b, it is possible to perform computation for the generation of a ciphertext and computation for decryption each by one equation, thus enabling encryption and decryption processes by simpler calculations without using the Chinese remainder theorem.

[0030] Further, as in the above arrangement, the ciphertext generated by the encrypting arithmetic means in the encrypting device of the present invention is given by the equation including the power of (p−1) using the public key g₁ and the private key n, so that it is possible to use the Fermat's little theorem for decryption of the ciphertext.

[0031] The Fermat's little theorem is given by a^(p−1)≡1 (mod p), and a number including the power of (p−1) modulo p is calculated, thereby reducing its remainder to “1”.

[0032] Therefore, it is possible to generate the public key g₁ by simple calculations using a simple private key {p, q}, to generate a ciphertext by simple calculations, and to decrypt the ciphertext by simple calculations only using the Fermat's little theorem, thus enabling further higher-speed processing as compared to the conventional encryption scheme.

[0033] Meanwhile, in terms of security of the encrypting device of the present invention, the public key g₁ includes a random number s, so that the public key g₁ are independent from each other.

[0034] Consequently, according to the encrypting device of the present invention, it is possible to realize high-speed encryption and decryption processes by reducing the amount of computations in such a manner limitations are imposed on the length of the plaintext m while maintaining a high security.

[0035] In order to achieve the above object, in a decrypting device of the present invention, included are decrypting arithmetic means for receiving a ciphertext C=(C₁, C₂), which is an encrypted plaintext m, respectively given by the following Equations (3) and (4) using a public key {g₁, g₂}, a private key n, and random numbers r1 and r2, the private key n being n=pq where p and q are prime numbers generated as a private key, g₁ and g₂ being respectively given by the Equations (1) and (2) using two random numbers s and t and a maximal generator g in a multiplicative group of integers modulo n, and

[0036] performing decryption in such a manner so as to generate received ciphertexts a and b respectively given by the following Equations (5) and (6) using the Fermat's little theorem and then derive the plaintext m satisfying the following Equation (7) from the received ciphertexts a and b using the Chinese remainder theorem,

g ₁ =g ^(s(p−1))(modn),  (1)

g ₂ =g ^(t(q−1))(modn),  (2)

C ₁ =m·g ₁ ^(r1)(modn),  (3)

C ₂ =m·g ₂ ^(r2)(modn),  (4)

a=C ₁(modp)=m(modp),  (5)

b=C ₂(modq)=m(modq),  (6)

m=aAq+bBp(modn),  (7)

[0037] where gcd{s, q−1}=1, gcd{t, p−1}=1, Aq (mod p)=1, and Bp (mod q)=1.

[0038] According to the above arrangement, keys g₁ and g₂ generated as a public key respectively include the power of (p−1) and the power of (q−1), and the ciphertext elements C₁ and C₂ generated using the public key {g₁, g₂} and the private key n also include the power of (p−1) and the power of (q−1), respectively. This makes it possible to easily decrypt the ciphertext elements C₁ and C₂ using the Fermat's little theorem (a^(p−1)≡1 (mod p)).

[0039] That is, the ciphertext received by the decrypting device of the present invention is given by the equations respectively including the power of (p−1) and the power of (q−1) using the public key {g₁, g₂} and the private key n, so that it is possible to decrypt the ciphertext using the Fermat's little theorem.

[0040] The Fermat's little theorem is given by a^(p−1)≡1 (mod p), and a number including the power of (p−1) modulo p is calculated, thereby reducing its remainder to “1”. Therefore, it is possible to compute two received ciphertexts corresponding to ciphertext elements C₁ and C₂ from the ciphertexts C₁ and C₂ using the Fermat's little theorem and to decrypt the plaintext m from the two received ciphertexts using the Chinese remainder theorem.

[0041] As described above, the decrypting device of the present invention can decrypt a ciphertext easily using the Fermat's little theorem, thus enabling higher-speed decryption, as compared to the conventional decryption scheme.

[0042] Further, in order to achieve the above object, in another decrypting device of the present invention, included are decrypting arithmetic means for receiving a ciphertext C of an inputted plaintext m, given by the following Equation (3)′ using a public key g₁ a private key n, and a random number r, the private key n being n=pq where p and q are prime numbers, p being generated as a private key, g₁ being given by the following Equation (1) using a random number s and a maximal generator g in a multiplicative group of integers modulo n, and

[0043] performing decryption in such a manner so as to derive the plaintext m satisfying the following Equation (8) using the Fermat's little theorem,

g ₁ =g ^(s(p−1))(modn),  (1)

C=m·g ₁ ^(r)(modn),  (3)′

m=C(modp),  (8)

[0044] where gcd{s, q−1}=1.

[0045] According to the above arrangement, the ciphertext C generated using the public key g₁ includes the power of (p−1). This makes it possible to easily decrypt the ciphertext C using the Fermat's little theorem (a^(p−1)≡1 (mod p)).

[0046] That is, in the decrypting device of the present invention, as to the relation between the private key p and the size b, by limiting a length of the message m, and using this size b, it is possible to perform computation for the generation of a ciphertext and computation for decryption each by one equation, thus enabling decryption by simpler calculations without using the Chinese remainder theorem.

[0047] Further, the ciphertext decrypted by the decrypting device of the present invention is given by the equation including the power of (p−1) using the public key g₁, so that it is possible to use the Fermat's little theorem for decryption of the ciphertext.

[0048] The Fermat's little theorem is given by a^(p−1)≡1 (mod p), and a number including the power of (p−1) modulo p is calculated, thereby reducing its remainder to “1”.

[0049] Therefore, it is possible to generate the public key g₁ and the private key n by simple calculations using a simple private key {p, q}, to generate a ciphertext by simple calculations, and to decrypt the ciphertext by simple calculations only using the Fermat's little theorem, thus enabling further higher-speed processing as compared to the conventional decryption scheme.

[0050] For a fuller understanding of the nature and advantages of the invention, reference should be made to the ensuing detailed description taken in conjunction with the accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

[0051]FIG. 1 is a block diagram showing a configuration of a cryptosystem of one embodiment of an encrypting device, a decrypting device, a cryptosystem including the same devices, an encrypting method, and a decrypting method of the present invention.

[0052]FIG. 2 is a block diagram showing a brief concept of encryption and decryption processes of the present invention.

[0053]FIG. 3 is a view showing an extended block cipher as an application of the cryptosystem of the present invention.

DESCRIPTION OF THE EMBODIMENTS

[0054] [Embodiment 1]

[0055] The following will describe one embodiment of an encrypting device, a decrypting device, a cryptosystem including the same devices, an encrypting method, and a decrypting method of the present invention with reference to drawings.

[0056] A cryptosystem of the present embodiment performs encryption and decryption of a message (plaintext) m according to a basic concept as shown in FIG. 2.

[0057] That is, as shown in FIG. 2, the message (plaintext) m is multiplied by a random number R using a public key {g₁, g₂} and a private key n to generate a ciphertext mR, and the ciphertext mR is transmitted to a receiving end of the message m. Then, the recipient of the ciphertext mR reduces the random number R to “1” using a private key {p, q} to decrypt the message m.

[0058] The cryptosystem, as shown in FIG. 1, includes an encrypting device (encrypting arithmetic means) 11, a communication path 14, and a decrypting arithmetic device (decrypting arithmetic means) 15.

[0059] Further, the encrypting device 11 includes a key generation section 12 and an encrypting arithmetic device 13.

[0060] The key generating section 12 generates the public key {g₁, g₂} and the private key {p, q} used for encryption and decryption of the message m, respectively. Note that, the generation of the public key {g₁, g₂} and the private key {p, q} will be described in details later.

[0061] The encrypting arithmetic device 13 encrypts an inputted message m using the public key {g₁, g₂} and a private key n to generate ciphertext elements C₁ and C₂, and outputs the generated ciphertext elements C₁ and C₂ to the communication path 14.

[0062] Here, the plaintext m is composed of m₁, m₂, m₃, . . . , and the ciphertext C is composed of the ciphertext element C₁ to which the plaintext element m₁ is encrypted, the ciphertext element C₂ to which the plaintext element m₂ is encrypted, and the subsequent ciphertext elements encrypted in a similar manner.

[0063] The ciphertext element C₁ is composed of the ciphertext elements C₁₁ and C₁₂ respectively using the random numbers R₁ and R₂.

C ₁=(C ₁₁ ,C ₁₂)

C ₁₁ =m ₁ R ₁(modn)

C ₁₂ =m ₁ R ₂(modn)

[0064] The actual procedure for the encryption begins with the generation of the ciphertext element C₁=(C₁₁, C₁₂) to which only the plaintext element m₁, the first element in the plaintext m, is encrypted, and ciphertext elements following the ciphertext element C₁ are generated using the plaintext element m₂ and two random numbers R₁ and R₂.

C ₂ =m ₂ ⊕R _(j)(j=1 or 2)

[0065] Note that, a value of j is determined depending on bit information b₁ of m₁=(b₁, b₂, . . . , b_(k)). Subsequently, C₃, C₄, . . . are generated in a similar manner.

[0066] The decrypting arithmetic device 15 receives the ciphertext elements C₁ and C₂ via the communication path 14 and receives the private key {p, q} from the key generation section 12. Then, the decrypting arithmetic device 15 decrypts the ciphertext elements C₁ and C₂ into the message m and output the message m.

[0067] Thus, the message m is encrypted using the public key {g₁, g₂} and the private key n to transmit it in the form of the ciphertext elements C₁ and C₂, and on the receiving end, the ciphertext elements C₁ and C₂ are decrypted into the message m using the private key {p, q}, thereby preventing the occurrence of problems such as leakage and tampering of the message m in the communication path 14, thus enabling a highly secure communication.

[0068] Here, the following will describe encryption process and decryption process of the message m in the cryptosystem 10 of the present embodiment.

[0069] The following will first describe the generation of the public key {g₁, g₂} by the key generation section 12.

[0070] Let p and q, as private key, be prime numbers of which product is n=pq, g be a maximal generator in the multiplicative group of integers modulo n, and s and t be random numbers which satisfy gcd{s, q−1}=1 and gcd{t, p−1}, respectively. The key generation section 12 generates the public key {g₁, g₂} as random numbers given by the following Equations (1) and (2):

g ₁ =g ^(s(p−1))(modn),  (1)

g ₂ =g ^(t(q−1))(modn).  (2)

[0071] Here, because the Equations (1) and (2) includes random numbers s and t, respectively, the equation n=pq and the Equations (1) and (2) are completely independent. Therefore, in order to derive the private key {p, q} from the public key {g₁, g₂}, it is necessary to derive p and q by factoring “n” which is a product of the two large prime numbers p and q.

[0072] Next, the following will describe the generation of a ciphertext of the message m by the encrypting arithmetic device 13, using the public key {g₁, g₂} given by the Equations (1) and (2), respectively.

[0073] Using the public key {g₁, g₂} and the private key n, a ciphertext C={C₁, C₂} is given by the following equations:

C ₁ =m·g ₁ ^(r1)(modn),  (3)

C ₂ =m·g ₂ ^(r2)(modn),  (4)

[0074] where m is a message (plaintext) (m<n), and r₁ and r₂ are random numbers.

[0075] Since the ciphertext C includes random numbers r₁ and r₂ of the random numbers g₁ and g₂, as given by the Equations (3) and (4), the message m can be transmitted to the receiving end in the form of random numbers.

[0076] Note that, g₁ ^(r1) and g₂ ^(r2) respectively in the Equations (3) and (4) correspond to a random number R in a conceptual diagram shown in FIG. 2.

[0077] The following will describe decryption of the ciphertext elements C₁ and C₂ into the message m by the decrypting arithmetic device 15.

[0078] The decrypting arithmetic device 15 decrypts the ciphertext elements C₁ and C₂ into the message m using the private key {p, q}.

[0079] Here, in the cryptosystem of the present invention, a random number portion including the power of (p−1) can be reduced to “1” using the Fermat's little theorem (a^(p−1)≡1 (mod p)), received ciphertexts a and b are generated as given by the following Equations (5) and (6):

a=C ₁(modp)=m(modp),  (5)

b=C ₂(modq)=m(modq).  (6)

[0080] Here, since the right sides of the Equations (5) and (6) are m>p and m>q, respectively, m(mod p) and m(mod q) are random numbers, and the message m is not completely decrypted.

[0081] In the cryptosystem of the present invention, the message m is decrypted using the Chinese remainder theorem according to the two Equations (5) and (6).

[0082] That is, by using the Chinese remainder theorem, the message m is given by the following Equation (7) according to the Equations (5) and (6):

m=aAq+bBp(modn)  (7)

[0083] where Aq(mod p)=1 and Bp(mod q)=1, so that it is obvious that the message m has been decrypted.

[0084] In the cryptosystem of the present invention, as described above, the public key {g₁, g₂} respectively including the power of (p−1) and the power of (q−1) are generated so that the decryption using the Fermat's little theorem can be performed, and in decrypting, the message m is decrypted using the Fermat's little theorem and the Chinese remainder theorem.

[0085] With this arrangement, an extremely simple cryptosystem can be suggested because the public key {g₁, g₂} can be generated by very simple calculations. Moreover, the two large prime numbers p and q can be directly used as the private key {p, q}. Further, since the message m can be decrypted by simple calculations using the Fermat's little theorem and the Chinese remainder theorem, the amount of necessary computations for encrypting can be less than that of a conventional RSA encryption scheme, thus obtaining a cryptosystem capable of a high-speed processing.

[0086] [Second Embodiment]

[0087] The following will describe another embodiment of an encrypting device, a decrypting device, a cryptosystem including the same devices, an encrypting method, and a decrypting method of the present invention.

[0088] The cryptosystem of the present embodiment, which has the same basic principle as that of the cryptosystem in the Embodiment 1, can make its algorism simpler under the condition that a size b of a private key p is limited in relation to a message m.

[0089] That is, in the cryptosystem of the Embodiment 1 two ciphertext elements C₁ and C₂ are generated for one message m. However, in the cryptosystem of the present embodiment, one ciphertext C is generated by using the size b of the private key p, which is limited so as to satisfy 0<m<2^(b−1), and the message m can be decrypted simply by the ciphertext C. This allows for higher-speed encryption and decryption processes.

[0090] Specifically, an encrypting arithmetic device generates a random number r, and by using the size b of the private key p and the private key p, generates a public key g₁ and a ciphertext C respectively given by the following Equations (1) and (3)′:

g ₁ =g ^(s(p−1))(modn),  (1)

C=m·g ₁ ^(r)(modn),  (3)′

[0091] where the message m and the size b satisfy 0<m<2^(b−1).

[0092] Then, for the decryption of the ciphertext C, as in the case of the cryptosystem of the Embodiment 1, the decrypting arithmetic device derives the following Equation (8) using the Fermat's little theorem (a^(p−1)≡1 (mod p)):

m=C(modp).  (8)

[0093] Here, since the ciphertext C includes g₁, and g₁ includes the power of (p−1) according to the Equation (1) of g₁ in the Embodiment 1, numbers except for m can be reduced to 1 by calculating modulo p, thus easily decrypting the message m.

[0094] In the cryptosystem of the present embodiment, as described above, the size b of the private key p is limited in relation to the message m. Then, the public key g₁ is generated, one ciphertext C is generated, and this ciphertext C is decrypted by using the private key p. Hence, decryption can be performed easily without using the Chinese remainder theorem, which is used in the Embodiment 1.

[0095] Therefore, it is possible to obtain a cryptosystem capable of a higher-speed processing than the cryptosystem of the Embodiment 1 while maintaining a security equivalent to the cryptosystem of the Embodiment 1.

[0096] Furthermore, the cryptosystem of the above-described present embodiment has the following characteristics.

[0097] The first characteristic is that the cryptosystem of the present embodiment, in which g₁ ^(r1) is included in the Equations (3) and (4) expressing the ciphertext elements C₁ and C₂, adopts so-called probabilistic encryption that one message m is encrypted to different ciphertexts. This is a characteristic resulting from the power of “r” being a random number. In the RSA encryption scheme, the message m corresponds one-to-one with the ciphertext C. However, in the cryptosystem of the present embodiment, the message M does not correspond one-to-one with the ciphertext C, so that it is difficult to break the ciphertext C, thus enabling enhancement in cipher strength.

[0098] The second characteristic is a so-called one-way function that conversion from the message m into the ciphertext C is easy, but conversion from the ciphertext C into the message m is very difficult.

[0099] The third characteristic is that one generated ciphertext C may be derived from different original messages m₀ and m₁ because the message m does not correspond one-to-one with the ciphertext C, as described as the first characteristic. Therefore, it is difficult to know from the ciphertext C which message m has been encrypted, thus enabling enhancement in cipher strength.

[0100] Still further, the following will describe the security of the cryptosystem of the present invention against the following three types of attacks by an adversary.

[0101] The following will describe the security against Chosen-Plaintext Attack (CPA) as the first attack.

[0102] The chosen-plaintext attack, which is usually a process of generating a ciphertext, is an attack where an adversary constructs many pairs of a given plaintext (message) m and the corresponding ciphertext, and when a new ciphertext is given, the adversary finds out whether or not its plaintext can be recovered by comparing to the generated pairs, thereby obtaining a key to decrypt a ciphertext.

[0103] On the other hand, the cryptosystem of the present invention, as described above, is one-way function and probabilistic encryption, so that the message m does not correspond one-to-one with the ciphertext C. Therefore, it is obvious that the cryptosystem of the present invention is highly secure against this chosen-ciphertext attack.

[0104] The following will consider the security against Non-Adaptive Chosen-Ciphertext Attack (CCA1) as the second attack.

[0105] The non-adaptive chosen-ciphertext attack is an attack where an adversary constructs pairs of a given ciphertext and the corresponding plaintext, and when a target ciphertext is given, the adversary finds out whether or not its plaintext can be recovered by comparing to the generated pairs. Also, the non-adaptive chosen-ciphertext attack is an attack where the adversary is not allowed to send queries after she has sent a query for a target ciphertext that she wants to decrypt.

[0106] On the other hand, the cryptosystem of the present invention, as described above, is one-way function and probabilistic encryption, so that the message m does not correspond one-to-one with the ciphertext C. Therefore, it is obvious that the cryptosystem of the present invention is highly secure against this non-adaptive chosen-ciphertext attack.

[0107] The following will describe the security against Adaptive Chosen-Ciphertext Attack (CCA2) as the third attack.

[0108] The adaptive chosen-ciphertext attack is an attack where an adversary constructs pairs of a given ciphertext and the corresponding plaintext, and an adversary finds out whether or not a plaintext can be recovered by comparing to the generated pairs. Also, the adaptive chosen-ciphertext attack is an attack where the adversary is allowed to send any queries except for a target ciphertext she wants to decrypt at any time, and the adversary performs attacks repeatedly utilizing the previous result.

[0109] In the cryptosystem of the present invention, a target ciphertext is modified to another indistinguishable ciphertext, so that it is hard to say that the cryptosystem of the present invention is completely secure.

[0110] That is, let C=(C₁, C₂) be a target ciphertext, and C₁ and C₂ are given as follows.

C ₁ =m·g ₁ ^(r1)(modn)→C ₁ *=m·g ₁ ^(r1+t1)(modn),

C ₂ =m·g ₂ ^(r2)(modn),→C ₂ *=m·g ₂ ^(r2+t2)(modn)

[0111] Although C*=(C₁*, C₂*) found here is C*≠C, a plaintext m can be obtained by presenting C*. Therefore, the cryptosystem of the present invention cannot be said to be secure against the adaptive chosen-ciphertext attack.

[0112] In this connection, in the cryptosystem of the present embodiment, C=(C₁, C₂, e) is provided so that the cryptosystem of the present embodiment becomes tolerable for the adaptive chosen-ciphertext attack.

[0113] Note that, “e” is e=h(d) (h is one-way hash function) because d=(C₁+C₂)/m (mod n) where C₁=m·g₁ ^(r1) (mod n) and C₂=m·g₂ ^(r2) (mod n).

[0114] This causes the problem of a long ciphertext C. However, since “e” can be 32 bits or 64 bits in length, and “e” changes if only a little change of the message m occurs. Therefore, the cryptosystem of the present embodiment can be tolerable for the adaptive chosen-ciphertext attack, thus obtaining a highly reliable cryptosystem.

[0115] Note that, the cryptosystem of the present invention can provide higher-speed computations by using a database given below:

DB(2,e)=[R _(ij) =g _(i) ^(rij)(modn)] (where 1≦i≦2,1≦j≦e).

C=((C ₁ , C ₂) $\begin{matrix} {C_{1} = {m{\prod\limits_{k = 1}^{\delta 1}\quad {R_{1,{j\quad k}}\quad \left( {{mod}\quad n} \right)}}}} \\ {C_{2} = {m{\prod\limits_{l = 1}^{\delta 2}\quad {R_{1,{j\quad l}}\quad \left( {{mod}\quad n} \right)}}}} \end{matrix}$

[0116] That is, a pre-computed R_(ij) is saved in database with two rows and e columns so that, in encrypting, R_(ij) is selected from this database to generate a random number portion, thus realizing higher-speed encryption process.

[0117] With this arrangement, it is possible to perform encryption process at higher speed, as compared to the conventional RSA encryption scheme with large amount of computations, for example. In addition, decryption can be performed only by calculation of modulo p, so that it is possible to perform decryption at higher speed, as compared to the conventional RSA encryption scheme with large amount of computations.

[0118] Further, the cryptosystem of the present invention can be applied to an extended block cipher as shown in FIG. 3, using an exponential property.

[0119] For the extended block cipher, only a ciphertext element C₁ is encrypted to ciphertext elements C₁₁ and C₁₂ by an ordinary skill. The subsequent ciphertext elements of C₂ are generated by using two random numbers R₁ and R₂ respectively included in the ciphertext elements C₁₁ and C₁₂. Therefore, it is possible to perform higher-speed processing in the conventional common-key cryptosystem and public-key cryptosystem.

[0120] Specifically, only for the first ciphertext element C₁, the ciphertext elements C₁₁ and C₁₂ are generated by an ordinary procedure. For the subsequent ciphertext elements of C₂, if a first bit b_(i)=0, a random number portion R₁ is added, or if a first bit b_(i)=1, a random number portion R₂ is added, thereby generating a ciphertext C. TABLE 1 <Encryption> Exponentiation Multiplication Original 2 2 Extended 2/k 2/k unit (times) <Decryption> Division Multiplication Original 2 2 Extended 4/k 2/k unit (times)

[0121] Table 1 shows how many times computations can be decreased by the extended block cipher shown in FIG. 3.

[0122] In the encryption process, as shown in an upper section of Table 1, the number of times to be computed can be decreased to 2/k times for both exponentiation and multiplication, where k is block length.

[0123] In the decryption processing, as shown in an lower section of Table 1, the number of times to be computed can be decreased to 4/k times for division and to 2/k times for multiplication, where k is block length.

[0124] As described above, the cryptosystem of the present invention is applied to an extended block cipher as an example of application, whereby it is possible to obtain a hybrid cryptosystem capable of high-speed processing with a fewer number of times to be computed.

[0125] Note that, when the simplified cryptosystem according to the Embodiment 2 is applied to this extended block cipher, the number of times to be computed is decreased to once for all types of computations, and hence a very convenient cryptosystem can be obtained.

[0126] Further, the following will describe a case when the cryptosystem of the present invention is applied to digital signature.

[0127] First, let α and β be respective powers of s(p−1) and t(q−1) of a public key {g₁, g₂}, and a signature (u, v) is given by the following equations:

u=αr+βm(modΦ(n)),  (12)

v=g ⁽α^(2r)+β²⁾(modn),  (13)

[0128] where m is a message, m≦Me≦Φ(n), and r is a random number.

[0129] In the Equation (12), u includes three or more unknown variables, so that it is impossible to solve the Equation (12). Moreover, in the Equation (13), v includes g, α, β, and r all of which are secret variables, so that it is impossible to solve the Equation (13).

[0130] A verification equation of a signed message {m, (u, v)} is given by the following equation:

(g ₁ ^(m) ·g ₂)^(u) =v ^(m)(modn).  (14)

[0131] Next, the Equation (14) is verified. (g₁^(m) ⋅ g₂)^(u) = g^((am + β)(a  r + β  m)  )  (mod  n)   = g(a²r + β²)^(m)  (mod  n)   = v^(m)  (mod  n)

[0132] where g^(α) ^(β) =g^(st(p−1)(q−1))=g^(stΦ(n))=1 (mod n).

[0133] From this result, it is verified that the signed message {m, (u, v)} is the message m transmitted from a signer.

[0134] As described above, the cryptosystem of the present invention, which is a new system different from the conventional system, is highly secure, and it is possible to suggest a digital signature capable of high-speed processing.

[0135] Note that, an encrypting device, a decrypting device, a cryptosystem including the same devices, an encrypting method, and a decrypting method of the present invention can be applied to, for example, entity authentication, two-way authentication, electronic election, and electronic bidding.

[0136] A cryptosystem of the present invention can be also expressed without using any equations as follows: a cryptosystem including: an encrypting device which uses two large prime numbers p and q as a private key and generates a ciphertext C=(C₁, C₂) using a public key {g₁, g₂} and a private key n, the private key n being a product of the prime numbers p and q, g₁ including the power of (p−1) and a random number s, and g₂ including the power of (q−1) and a random number t; and a decrypting device which decrypts the ciphertext C using the Fermat's little theorem.

[0137] Note that, the encryption technique of the present invention can be applied to a scrambler or a descrambler of streaming data in a small area inside a house.

[0138] Further, the present invention can be applied to distribution of encryption keys.

[0139] The present invention is not limited to the aforementioned embodiments and is susceptible of various changes within the scope of the accompanying claims. An embodiment obtained by suitable combinations of technical means disclosed in the different embodiments also fall within the technical scope of the present invention.

[0140] As described above, an encrypting device of the present invention includes:

[0141] key generation means for generating two prime numbers p and q of which product is n=pq as a private key and generating as a public key g₁ and g₂ respectively given by the following Equations (1) and (2) using two random numbers s and t and a maximal generator g in a multiplicative group of integers modulo n; and

[0142] encrypting arithmetic means for, in response to receipt of a plaintext m, generating a ciphertext C=(C₁, C₂) respectively given by the following Equations (3) and (4) using the public key {g₁, g₂}, a private key n, and random numbers r1 and r2,

g ₁ =g ^(s(p−1))(modn),  (1)

g ₂ =g ^(t(q−1))(modn),  (2)

C ₁ =m·g ₁ ^(r1)(modn),  (3)

C ₂ =m·g ₂ ^(r2)(modn),  (4)

[0143] where gcd{s, q−1}=1 and gcd{t, p−1}=1.

[0144] According to the above arrangement, keys g₁ and g₂ generated as a public key respectively include the power of (p−1) and the power of (q−1), and the ciphertext elements C₁ and C₂ generated using the public key {g₁, g₂} and the private key n also include the power of (p−1) and the power of (q−1), respectively. This makes it possible to easily decrypt the ciphertext elements C₁ and C₂ using the Fermat's little theorem (a^(p−1)≡1 (mod p)).

[0145] That is, the encrypting device of the present invention causes the key generation means to generate two large prime numbers p and q as a private key and to generate the public key {g₁, g₂} so as to respectively include the power of (p−1) and the power of (q−1) by using the private key {p, q} and the random numbers s and t.

[0146] This makes it possible to directly use the two large prime numbers p and q as a private key and to compute the public key {g₁, g₂} by very simple calculations including the power of (p−1) using a random number.

[0147] Further, the ciphertext generated by the encrypting arithmetic means in the encrypting device of the present invention is given by the equations respectively including the power of (p−1) and the power of (q−1) using the public key {g₁, g₂} and the private key n, so that it is possible to decrypt the ciphertext using the Fermat's little theorem.

[0148] The Fermat's little theorem is given by a^(p−1)≡1 (mod p), and a number including the power of (p−1) modulo p is calculated, thereby reducing its remainder to “1”.Therefore, it is possible to compute two received ciphertexts corresponding to ciphertext elements C₁ and C₂ from the ciphertext elements C₁ and C₂ using the Fermat's little theorem and to decrypt the plaintext m from the two received ciphertexts using the Chinese remainder theorem.

[0149] In the encrypting device of the present invention, as described above, it is possible to generate the public key {g₁, g₂} by simple calculations using a simple private key {p, q}, to generate a ciphertext by simple calculations, and to decrypt the ciphertext by simple calculations using the Fermat's little theorem, thus enabling higher-speed processing as compared to the conventional encryption scheme.

[0150] Meanwhile, in terms of security of the encrypting device of the present invention, the public key {g₁, g₂} include random numbers s and t, respectively, so that the public key {g₁, g₂} and the private key n are independent from each other.

[0151] Consequently, according to the encrypting device of the present invention, it is possible to perform encryption and decryption processes at high speed by reducing the amount of computations while maintaining a high security.

[0152] Furthermore, another encrypting device of the present invention includes:

[0153] key generation means for generating prime numbers p and q of which product is n=pq, where p is a private key, and generating as a public key g₁ given by the following Equation (1) using a random number s and a maximal generator g in a multiplicative group of integers modulo n; and

[0154] encrypting arithmetic means for, in response to receipt of a plaintext m, generating a ciphertext C given by the following Equation (3)′ using the public key g₁, a private key n and a random number r,

g ₁ =g ^(s(p−1))(modn),  (1)

C=m·g ₁ ^(r)(modn),  (3)′

[0155] where when information b is a size of p (bits), 0<m<2^(b−1) and gcd{s, q−1}=1.

[0156] According to the above arrangement, a key g₁ generated as a public key includes the power of (p−1), and the ciphertext C generated using the public key g₁ also include the power of (p−1). This makes it possible to easily decrypt the ciphertext C using the Fermat's little theorem (a^(p−1)≡1 (mod p)).

[0157] That is, the encrypting device of the present invention causes the key generation means to generate two large prime numbers p and q as a private key and to generate the public key g₁ so as to include the power of (p−1) by using the private key {p, q} and the random numbers s and t.

[0158] As to the relation between the private key p and the size b, by limiting a length of the message m, and using this size b, it is possible to perform computation for the generation of a ciphertext and computation for decryption each by one equation, thus enabling encryption and decryption processes by simpler calculations without using the Chinese remainder theorem.

[0159] Further, as in the above arrangement, the ciphertext generated by the encrypting arithmetic means in the encrypting device of the present invention is given by the equation including the power of (p−1) using the public key g₁ and the private key n, so that it is possible to use the Fermat's little theorem for decryption of the ciphertext.

[0160] The Fermat's little theorem is given by a^(p−1)≡1 (mod p), and a number including the power of (p−1) modulo p is calculated, thereby reducing its remainder to “1”.

[0161] Therefore, it is possible to generate the public key g₁ by simple calculations using a simple private key {p, q}, to generate a ciphertext by simple calculations, and to decrypt the ciphertext by simple calculations only using the Fermat's little theorem, thus enabling further higher-speed processing as compared to the conventional encryption scheme.

[0162] Meanwhile, in terms of security of the encrypting device of the present invention, the public key g₁ includes a random number s, so that the public key g₁ and the private key n are independent from each other.

[0163] Consequently, according to the encrypting device of the present invention, it is possible to realize high-speed encryption and decryption processes by reducing the amount of computations in such a manner limitations are imposed on the length of the plaintext m while maintaining a high security.

[0164] It is more preferable that e given by the following equation: e=h(d) (h is one-way hash function), where d=(C₁C₂)/m (mod n), is added to the ciphertext C=(C₁, C₂) so as to be a ciphertext C=(C₁, C₂, e).

[0165] This makes the ciphertext C longer. However, e changes if only a little change of the message m occurs, so that the cryptosystem of the present embodiment can be tolerable for the adaptive chosen-ciphertext attack (CCA2), thus obtaining a highly reliable cryptosystem.

[0166] Since e is computed using a hash function, e can reduce its amount of information to about 32 bits or 64 bits in length.

[0167] It is more preferable that included is a database for saving data resulting from calculation of a random number portion of the ciphertext C.

[0168] With this arrangement, for example, by previously preparing a database with two rows and f columns saving data of a random number portion to be included in the ciphertext C, in encrypting, it is possible to select a corresponding random number from this database to generate a ciphertext, thus realizing higher-speed encryption process.

[0169] Therefore, for example, as compared to the conventional RSA encryption scheme, it is possible to perform encryption process at higher speed by reducing the amount of computations, and to perform decryption only by calculation of modulo p. Therefore, it is possible to realize encryption and decryption at much higher speed, as compared to the conventional cryptosystem of the RSA encryption scheme with a large amount of computations.

[0170] It is more preferable that the encrypting arithmetic means encrypt only a first ciphertext element C into ciphertext elements C₁ and C₂ and generate subsequent ciphertext elements of the ciphertext element C, using the ciphertext element C₁ and two random numbers included in the ciphertext element C₁.

[0171] With this arrangement, only a first ciphertext element C is generated by an ordinary procedure, and for the subsequent ciphertext elements of the ciphertext element C, if a first bit b_(i)=0, a random number portion R₁ is added, or if a first bit b_(i)=1, a random number portion R₂ is added, thereby generating a ciphertext C.

[0172] Further, in a decrypting device of the present invention, included are decrypting arithmetic means for receiving a ciphertext C=(C₁, C₂), which is an encrypted plaintext m, respectively given by the following Equations (3) and (4) using a public key {g₁, g₂}, a private key n, and random numbers r1 and r2, the private key n being n=pq where p and q are prime numbers generated as a private key, g₁ and g₂ being respectively given by the Equations (1) and (2) using two random numbers s and t and a maximal generator g in a multiplicative group of integers modulo n, and

[0173] performing decryption in such a manner so as to generate received ciphertexts a and b respectively given by the following Equations (5) and (6) using the Fermat's little theorem and then derive the plaintext m satisfying the following Equation (7) from the received ciphertexts a and b using the Chinese remainder theorem,

g ₁ =g ^(s(p−1))(modn),  (1)

g ₂ =g ^(t(q−1))(modn),  (2)

C ₁ =m·g ₁ ^(r1)(modn),  (3)

C ₂ =m·g ₂ ^(r2)(modn),  (4)

a=C ₁(modp)=m(modp),  (5)

b=C ₂(modq)=m(modq),  (6)

m=aAq+bBp(modn),  (7)

[0174] where gcd{s, q−1}=1, gcd{t, p−1}=1, Aq (mod p)=1, and Bp (mod q)=1.

[0175] According to the above arrangement, keys g₁ and g₂ generated as a public key respectively include the power of (p−1) and the power of (q−1), and the ciphertext elements C₁ and C₂ generated using the public key {g₁, g₂} and the private key n also include the power of (p−1) and the power of (q−1), respectively. This makes it possible to easily decrypt the ciphertext elements C₁ and C₂ using the Fermat's little theorem (a^(p−1)≡1 (mod p)).

[0176] That is, the ciphertext received by the decrypting device of the present invention is given by the equations respectively including the power of (p−1) and the power of (q−1) using the public key {g₁, g₂} and the private key n, so that it is possible to decrypt the ciphertext using the Fermat's little theorem.

[0177] The Fermat's little theorem is given by a^(p−1)≡1 (mod p), and a number including the power of (p−1) modulo p is calculated, thereby reducing its remainder to “1”. Therefore, it is possible to compute two received ciphertexts corresponding to ciphertext elements C₁ and C₂ from the ciphertext elements C₁ and C₂ using the Fermat's little theorem and to decrypt the plaintext m from the two received ciphertexts using the Chinese remainder theorem.

[0178] As described above, the decrypting device of the present invention can decrypt a ciphertext easily using the Fermat's little theorem, thus enabling higher-speed decryption, as compared to the conventional decryption scheme.

[0179] Further, in another decrypting device of the present invention, included are decrypting arithmetic means for receiving a ciphertext C of an inputted plaintext m, given by the following Equation (3)′ using a public key g₁ a private key n, and a random number r, the private key n being n=pq where p and q are prime numbers, p being generated as a private key, g₁ being given by the following Equation (1) using a random number s and a maximal generator g in a multiplicative group of integers modulo n, and

[0180] performing decryption in such a manner so as to derive the plaintext m satisfying the following Equation (8) using the Fermat's little theorem,

g ₁ =g ^(s(p−1))(modn),  (1)

C=m·g ₁ ^(r)(modn),  (3)′

m=C(modp),  (8)

[0181] where gcd{s, q−1}=1.

[0182] According to the above arrangement, the ciphertext C generated using the public key g₁ includes the power of (p−1). This makes it possible to easily decrypt the ciphertext C using the Fermat's little theorem (a^(p−1)≡1 (mod p)).

[0183] That is, in the decrypting device of the present invention, as to the relation between the private key p and the size b, by limiting a length of the message m, and using this size b, it is possible to perform computation for the generation of a ciphertext and computation for decryption each by one equation, thus enabling decryption by simpler calculations without using the Chinese remainder theorem.

[0184] Further, the ciphertext decrypted by the decrypting device of the present invention is given by the equation including the power of (p−1) using the public key g₁, so that it is possible to use the Fermat's little theorem for decryption of the ciphertext.

[0185] The Fermat's little theorem is given by a^(p−1)≡1 (mod p), and a number including the power of (p−1) modulo p is calculated, thereby reducing its remainder to “1”.

[0186] Therefore, it is possible to generate the public key g₁ and the private key n by simple calculations using a simple private key {p, q}, to generate a ciphertext by simple calculations, and to decrypt the ciphertext by simple calculations only using the Fermat's little theorem, thus enabling further higher-speed processing as compared to the conventional decryption scheme.

[0187] Note that, the present invention can be applied to distribution of an encryption key.

[0188] A cryptosystem of the present invention includes:

[0189] an encrypting device including: key generation means for generating two prime numbers p and q of which product is n=pq as a private key and generating as a public key g₁ and g₂ respectively given by the following Equations (1) and (2) using two random numbers s and t and a maximal generator g in a multiplicative group of integers modulo n; and encrypting arithmetic means for, in response to receipt of a plaintext m, generating a ciphertext C=(C₁, C₂) respectively given by the following Equations (3) and (4) using the public key {g₁, g₂}, a private key n, and random numbers r1 and r₂; and

[0190] a decrypting device including decrypting arithmetic means for receiving ciphertext elements C₁ and C₂ calculated by the encrypting device and performing decryption in such a manner so as to generate received ciphertexts a and b respectively given by the following Equations (5) and (6) using the Fermat's little theorem and then derive the plaintext m satisfying the following Equation (7) from the received ciphertexts a and b using the Chinese remainder theorem,

g ₁ =g ^(s(p−1))(modn),  (1)

g ₂ =g ^(t(q−1))(modn),  (2)

C ₁ =m·g ₁ ^(r1)(modn),  (3)

C ₂ =m·g ₂ ^(r2)(modn)  (4)

a=C ₁(modp)=m(modp),  (5)

b=C ₂(modq)=m(modq),  (6)

m=aAq+bBp(modn),  (7)

[0191] where gcd{s, q−1}=1, gcd{t, p−1}=1, Aq (mod p)=1, and Bp (mod q)=1.

[0192] According to the above arrangement, in the encryptin device, keys g₁ and g₂ generated as a public key respectively include the power of (p−1) and the power of (q−1), and the ciphertext elements C₁ and C₂ generated using the public key {g₁, g₂} and the private key n also include the power of (p−1) and the power of (q−1), respectively. This makes it possible for the decrypting device to easily decrypt the ciphertext elements C₁ and C₂ using the Fermat's little theorem (a^(p−1)≡1 (mod p)).

[0193] That is, the cryptosystem of the present invention includes an encrypting device and a decrypting device. The encrypting device includes and causes the key generation means to generate two large prime numbers p and q as a private key and to generate the public key {g₁, g₂} so as to respectively include the power of (p−1) and the power of (q−1) by using the private key {p, q} and the random numbers s and t.

[0194] This makes it possible to directly use the two large prime numbers p and q as a private key and to compute the public key {g₁, g₂} by very simple calculations including the power of (p−1) using a random number.

[0195] Further, in the encrypting device of the cryptosystem of the present invention, the encrypting arithmetic means generate the ciphertext C given by the equation including the power of (p−1) and the power of (q−1) using the public key {g₁, g₂}, so that it is possible to decrypt the ciphertext C using the Fermat's little theorem.

[0196] The Fermat's little theorem is given by a^(p−1)≡1 (mod p), and a number including the power of (p−1) modulo p is calculated, thereby reducing its remainder to “1”. Therefore, it is possible to compute two received ciphertexts corresponding to ciphertext elements C₁ and C₂ from the ciphertext elements C₁ and C₂ using the Fermat's little theorem and to decrypt the plaintext m from the two received ciphertexts using the Chinese remainder theorem.

[0197] As described above, in the cryptosystem of the present invention, it is possible for the encrypting device to generate the public key {g₁, g₂} and the private key n by simple calculations using a simple private key {p, q} and to generate a ciphertext by simple calculations, and it is possible for the decrypting device to easily decrypt the ciphertext using the Fermat's little theorem, thus enabling higher-speed processing as compared to the conventional cryptosystem.

[0198] Meanwhile, in terms of security of the cryptosystem of the present invention, the public key {g₁, g₂} generated by the encrypting device include random numbers s and t, respectively, so that the public key {g₁, g₂} and the private key n are independent from each other.

[0199] Consequently, according to the cryptosystem of the present invention, it is possible to perform encryption and decryption processes at high speed by reducing the amount of computations while maintaining a high security.

[0200] Another cryptosystem of the present invention includes:

[0201] an encrypting device including: key generation means for generating prime numbers p and q of which product is n=pq, where p is a private key, and generating as a public key g₁ given by the following Equation (1) using a random number s and a maximal generator g in a multiplicative group of integers modulo n; and encrypting arithmetic means for, in response to receipt of a plaintext m, generating a ciphertext C given by the following Equation (3)′ using the public key g₁, a private key n, and a random number r; and

[0202] a decrypting device including decrypting arithmetic means for receiving the ciphertext C from the encrypting device and performing decryption in such a manner so as to derive the plaintext m satisfying the following Equation (8) using the Fermat's little theorem,

g ₁ =g ^(s(p−1))(modn),  (1)

C=m·g ₁ ^(r)(modn),  (3)′

m=C(modp),  (8)

[0203] where gcd{s, q−1}=1.

[0204] According to the above arrangement, the ciphertext C generated using the public key g₁ and the private key n by the encrypting device include the power of (p−1). This makes it possible for the decrypting device to easily decrypt the ciphertext C using the Fermat's little theorem (a^(p−1)≡1 (mod p)).

[0205] That is, the cryptosystem of the present invention causes the key generation means included in the encrypting device to generate two large prime numbers p and q as a private key and to generate the public key g₁ so as to include the power of (p−1) by using the private key {p, q} and the random numbers s and t.

[0206] As to the relation between the private key p and the size b, by limiting a length of the message m, and using this size b, the decrypting device can perform computation for the generation of a ciphertext and computation for decryption each by one equation, thus enabling decryption by simpler calculations without using the Chinese remainder theorem.

[0207] Further, in the cryptosystem of the present invention, the ciphertext decrypted by the decrypting device is given by the equation including the power of (p−1), so that it is possible to use the Fermat's little theorem for decryption of the ciphertext.

[0208] The Fermat's little theorem is given by a^(p−1)≡1 (mod p), and a number including the power of (p−1) modulo p is calculated, thereby reducing its remainder to “1”.

[0209] Therefore, it is possible to generate the public key g₁ and the private key n by simple calculations using a simple private key {p, q}, to generate a ciphertext by simple calculations, and to decrypt the ciphertext by simple calculations only using the Fermat's little theorem, thus enabling further higher-speed processing as compared to the conventional decryption scheme.

[0210] Meanwhile, in terms of security of the cryptosystem of the present invention, the public key g₁ includes a random number s, so that the public key g₁ and the private key n are independent from each other.

[0211] Consequently, according to the encrypting device of the present invention, it is possible to realize high-speed processing by performing encryption and decryption processes by simpler calculations in such a manner limitations are imposed on the length of the plaintext m while maintaining a high security.

[0212] An encrypting method of the present invention includes the steps of:

[0213] generating two prime numbers p and q of which product is n=pq as a private key and generating as a public key g₁ and g₂ respectively given by the following Equations (1) and (2) using two random numbers s and t and a maximal generator g in a multiplicative group of integers modulo n; and

[0214] in response to receipt of a plaintext m, generating ciphertext elements C₁ and C₂ respectively given by the following Equations (3) and (4) using the public key {g₁, g₂}, a private key n, and random numbers r1 and r2,

g ₁ =g ^(s(p−1))(modn),  (1)

g ₂ =g ^(t(q−1))(modn),  (2)

C ₁ =m·g ₁ ^(r1)(modn),  (3)

C ₂ =m·g ₂ ^(r2)(modn),  (4)

[0215] where gcd{s, q−1}=1 and gcd{t, p−1}=1.

[0216] According to the above encrypting method, keys g₁ and g₂ generated as a public key respectively include the power of (p−1) and the power of (q−1), and the ciphertext elements C₁ and C₂ generated using the public key {g₁, g₂} and the private key n also include the power of (p−1) and the power of (q−1), respectively. This makes it possible to easily decrypt the ciphertext elements C₁ and C₂ using the Fermat's little theorem (a^(p−1)≡1 (mod p)).

[0217] That is, the encrypting method of the present invention generates two large prime numbers p and q as a private key and generates the public key {g₁, g₂} so as to respectively include the power of (p−1) and the power of (q−1) by using the private key {p, q} and the random numbers s and t.

[0218] This makes it possible to directly use the two large prime numbers p and q as a private key and to compute the public key {g₁, g₂} by very simple calculations using a random number.

[0219] Further, the ciphertext generated by the encrypting method of the present invention is given by the equation including the power of (p−1) and the power of (q−1) using the public key {g₁, g₂} and the private key n, so that it is possible to decrypt the ciphertext using the Fermat's little theorem.

[0220] The Fermat's little theorem is given by a^(p−1)≡1 (mod p), and a number including the power of (p−1) modulo p is calculated, thereby reducing its remainder to “1”.Therefore, it is possible to compute two received ciphertexts corresponding to ciphertext elements C₁ and C₂ from the ciphertext elements C₁ and C₂ using the Fermat's little theorem and to decrypt the plaintext m from the two received ciphertexts using the Chinese remainder theorem.

[0221] As described above, in the encrypting method of the present invention, it is possible to generate the public key {g₁, g₂} and the private key n by simple calculations using a simple private key {p, q}, to generate a ciphertext by simple calculations, and to decrypt the ciphertext by simple calculations using the Fermat's little theorem, thus enabling higher-speed processing as compared to the conventional encryption scheme.

[0222] Meanwhile, in terms of security of the encrypting method of the present invention, the public key {g₁, g₂} include random numbers s and t, respectively, so that the public key {g₁, g₂} and the private key n are independent from each other.

[0223] Consequently, according to the encrypting method of the present invention, it is possible to perform encryption and decryption processes at high speed by reducing the amount of computations while maintaining a high security.

[0224] Another encrypting method of the present invention includes the steps of:

[0225] generating prime numbers p and q of which product is n=pq, where p is a private key, and generating as a public key g₁ given by the following Equation (1) using a random number s and a maximal generator g in a multiplicative group of integers modulo n; and

[0226] in response to receipt of a plaintext m, generating a ciphertext C given by the following Equation (3)′ using the public key g₁, a private key n, and a random number r,

g ₁ =g ^(s(p−1))(modn),  (1)

C=m·g ₁ ^(r)(modn),  (3)′

[0227] where when information b is a size of p (bits), 0<m<2^(b−1) and gcd{s, q−1}=1.

[0228] According to the above encrypting method, a key g₁ generated as a public key includes the power of (p−1), and the ciphertext C generated using the public key g₁ and the private key n also includes the power of (p−1). This makes it possible to easily decrypt the ciphertext C using the Fermat's little theorem (a^(p−1)≡1 (mod p)).

[0229] That is, the encrypting method of the present invention generates two large prime numbers p and q as a private key and generates the public key g₁ so as to include the power of (p−1) by using the private key {p, q} and the random numbers s and t.

[0230] As to the relation between the private key p and the size b, by limiting a length of the message m, and using this size b, it is possible to perform computation for the generation of a ciphertext and computation for decryption each by one equation, thus enabling encryption and decryption processes by simpler calculations without using the Chinese remainder theorem.

[0231] Further, as in the above encrypting method, the ciphertext generated by the encrypting method of the present invention is given by the equation including the power of (p−1) using the public key g₁, so that it is possible to use the Fermat's little theorem for decryption of the ciphertext.

[0232] The Fermat's little theorem is given by a^(p−1)≡1 (mod p), and a number including the power of (p−1) modulo p is calculated, thereby reducing its remainder to “1”.

[0233] Therefore, it is possible to generate the public key g₁ by simple calculations using a simple private key {p, q}, to generate a ciphertext by simple calculations, and to decrypt the ciphertext by simple calculations only using the Fermat's little theorem, thus enabling higher-speed processing as compared to the conventional encrypting method.

[0234] Meanwhile, in terms of security of the encrypting method of the present invention, the public key g₁ includes a random number s, so that the public key g₁ and the private key n are independent from each other.

[0235] Consequently, according to the encrypting method of the present invention, it is possible to realize high-speed encryption and decryption processes by reducing the amount of computations while maintaining a high security.

[0236] A decrypting method of the present invention includes the steps of:

[0237] receiving a ciphertext C=(C₁, C₂), which is an encrypted plaintext m, respectively given by the following Equations (3) and (4) using a public key {g₁, g₂}, a private key n, and random numbers r1 and r2, the private key n being n=pq where p and q are prime numbers generated as a private key, g₁ and g₂ being respectively given by the Equations (1) and (2) using two random numbers s and t and a maximal generator g in a multiplicative group of integers modulo n; and

[0238] performing decryption in such a manner so as to generate received ciphertexts a and b respectively given by the following Equations (5) and (6) using the Fermat's little theorem and then derive the plaintext m satisfying the following Equation (7) from the received ciphertexts a and b using the Chinese remainder theorem,

g ₁ =g ^(s(p−1))(modn),  (1)

g ₂ =g ^(t(q−1))(modn),  (2)

C ₁ =m·g ₁ ^(r1)(modn),  (3)

C ₂ =m·g ₂ ^(r2)(modn),  (4)

a=C ₁(modp)=m(modp),  (5)

b=C ₂(modq)=m(modq),  (6)

m=aAq+bBp(modn),  (7)

[0239] where gcd{s, q−1}=1, gcd{t, p−1}=1, Aq (mod p)=1, and Bp (mod q)=1.

[0240] According to the above decrypting method, keys g₁ and g₂ generated as a public key respectively include the power of (p−1) and the power of (q−1), and the ciphertext elements C₁ and C₂ generated using the public key {g₁, g₂} and the private key n also include the power of (p−1) and the power of (q−1), respectively. This makes it possible to easily decrypt the ciphertext elements C₁ and C₂ using the Fermat's little theorem (a^(p−1)≡1 (mod p)).

[0241] That is, in the decrypting method of the present invention, the ciphertext is given by the equations respectively including the power of (p−1) and the power of (q−1) using the public key {g₁, g₂} and the private key n, so that it is possible to decrypt the ciphertext using the Fermat's little theorem.

[0242] The Fermat's little theorem is given by a^(p−1)≡1 (mod p), and a number including the power of (p−1) modulo p is calculated, thereby reducing its remainder to “1”.

[0243] Therefore, it is possible to compute two received ciphertexts corresponding to ciphertext elements C₁ and C₂ from the ciphertext elements C₁ and C₂ using the Fermat's little theorem and to decrypt the plaintext m from the two received ciphertexts using the Chinese remainder theorem.

[0244] As described above, since the decrypting device of the present invention can easily decrypt the ciphertext using the Fermat's little theorem, so that it is possible to perform high-speed processing, as compared to the conventional decryption scheme.

[0245] Another decrypting method of the present invention includes the steps of:

[0246] receiving a ciphertext C of an inputted plaintext m, given by the following Equation (3)′ using a public key g₁, a private key n, and a random number r, the private key n being n=pq where p and q are prime numbers, p being generated as a private key, g₁ being given by the following Equation (1) using a random number s and a maximal generator g in a multiplicative group of integers modulo n; and

[0247] performing decryption in such a manner so as to derive the plaintext m satisfying the following Equation (8) using the Fermat's little theorem,

g ₁ =g ^(s(p−1))(modn),  (1)

C=m·g ₁ ^(r)(modn),  (3)′

m=C(modp),  (8)

[0248] where gcd{s, q−1}=1.

[0249] According to the above decrypting method, the ciphertext C generated using the public key g₁ and the private key n includes the power of (p−1). This makes it possible to easily decrypt the ciphertext C using the Fermat's little theorem (a^(p−1)≡1 (mod p)).

[0250] That is, in the decrypting method of the present invention, as to the relation between the private key p and the size b, by limiting a length of the message m, and using this size b, it is possible to perform computation for the generation of the ciphertext C and computation for decryption each by one equation, thus enabling decryption by simpler calculations without using the Chinese remainder theorem.

[0251] The ciphertext decrypted by the decrypting method of the present invention is given by the equation including the power of (p−1) using the public key g₁ and the private key n, so that it is possible to use the Fermat's little theorem for decryption of the ciphertext.

[0252] The Fermat's little theorem is given by a^(p−1)≡1 (mod p), and a number including the power of (p−1) modulo p is calculated, thereby reducing its remainder to “1”.

[0253] Therefore, it is possible to generate the public key g₁ by simple calculations using a simple private key {p, q}, to generate a ciphertext by simple calculations, and to decrypt the ciphertext by simple calculations only using the Fermat's little theorem, thus enabling further higher-speed processing as compared to the conventional decryption scheme.

[0254] The invention being thus described, it will be obvious that the same way may be varied in many ways. Such variations are not to be regarded as a departure from the spirit and scope of the invention, and all such modifications as would be obvious to one skilled in the art are intended to be included within the scope of the following claims. 

What is claimed is:
 1. An encrypting device comprising: key generation means for generating two prime numbers p and q of which product is n=pq as a private key and generating as a public key g₁ and g₂ respectively given by the following Equations (1) and (2) using two random numbers s and t and a maximal generator g in a multiplicative group of integers modulo n; and encrypting arithmetic means for, in response to receipt of a plaintext m, generating a ciphertext C=(C₁, C₂) respectively given by the following Equations (3) and (4) using the public key {g₁, g₂}, a private key n, and random numbers r1 and r2, g ₁ =g ^(s(p−1))(modn),  (1) g ₂ =g ^(t(q−1))(modn),  (2) C ₁ =m·g ₁ ^(r1)(modn),  (3) C ₂ =m·g ₂ ^(r2)(modn),  (4) where gcd{s, q−1}=1 and gcd{t, p−1}=1.
 2. An encrypting device comprising: key generation means for generating prime numbers p and q of which product is n=pq, where p is a private key, and generating as a public key g₁ given by the following Equation (1) using a random number s and a maximal generator g in a multiplicative group of integers modulo n; and encrypting arithmetic means for, in response to receipt of a plaintext m, generating a ciphertext C given by the following Equation (3)′ using the public key g₁, a private key n, and a random number r, g ₁ =g ^(s(p−1))(modn),  (1) C=m·g ₁ ^(r)(modn),  (3)′ where when information b is a size of p (bits), 0<m<2^(b−1) and gcd{s, q−1}=1.
 3. The encrypting device according to claim 1, wherein: e given by the following equation: e=h(d) (h is one-way hash function), where d=(C₁+C₂)/m (mod n), is added to the ciphertext C=(C₁, C₂) so as to be a ciphertext C=(C₁, C₂, e).
 4. The encrypting device according to claim 1, further comprising: a database for saving data resulting from calculation of a random number portion of the ciphertext C.
 5. The encrypting device according to claim 1, wherein: the encrypting arithmetic means encrypt only a plaintext element m₁, which is a first element in the plaintext m, to the ciphertext element C₁=(C₁₁, C₁₂), and ciphertext elements following the ciphertext element C₁ are generated using a received plaintext m_(i), bit information of the plaintext m₁, and two random numbers R₁ or R₂ which are contained in the ciphertext C₁.
 6. A decrypting device wherein included are decrypting arithmetic means for receiving a ciphertext C=(C₁, C₂), which is an encrypted plaintext m, respectively given by the following Equations (3) and (4) using a public key {g₁, g₂}, a private key n, and random numbers r1 and r2, the private key n being n=pq where p and q are prime numbers generated as a private key, g₁ and g₂ being respectively given by the Equations (1) and (2) using two random numbers s and t and a maximal generator g in a multiplicative group of integers modulo n, and performing decryption in such a manner so as to generate received ciphertexts a and b respectively given by the following Equations (5) and (6) using the Fermat's little theorem and then derive the plaintext m satisfying the following Equation (7) from the received ciphertexts a and b using the Chinese remainder theorem, g ₁ =g ^(s(p−1))(modn),  (1) g ₂ =g ^(t(q−1))(modn),  (2) C ₁ =m·g ₁ ^(r1)(modn),  (3) C ₂ =m·g ₂ ^(r2)(modn),  (4) a=C ₁(modp)=m(modp),  (5) b=C ₂(modq)=m(modq),  (6) m=aAq+bBp(modn),  (7) where gcd{s, q−1}=1, gcd{t, p−1}=1, Aq (mod p)=1, and Bp (mod q)=1.
 7. A decrypting device wherein included are decrypting arithmetic means for receiving a ciphertext C of an inputted plaintext m, given by the following Equation (3)′ using a public key g₁, a private key n, and a random number r, the private key n being n=pq where p and q are prime numbers, p being generated as a private key, g₁ being given by the following Equation (1) using a random number s and a maximal generator g in a multiplicative group of integers modulo n, and performing decryption in such a manner so as to derive the plaintext m satisfying the following Equation (8) using the Fermat's little theorem, g ₁ =g ^(s(p−1))(modn),  (1) C=m·g ₁ ^(r)(modn),  (3)′m=C(modp),  (8) where gcd{s, q−1}=1.
 8. A cryptosystem comprising: an encrypting device including: key generation means for generating two prime numbers p and q of which product is n=pq as a private key and generating as a public key g₁ and g₂ respectively given by the following Equations (1) and (2) using two random numbers s and t and a maximal generator g in a multiplicative group of integers modulo n; and encrypting arithmetic means for, in response to receipt of a plaintext m, generating a ciphertext C=(C₁, C₂) respectively given by the following Equations (3) and (4) using the public key {g₁, g₂}, a private key n, and random numbers r1 and r2; and a decrypting device including decrypting arithmetic means for receiving ciphertext elements C₁ and C₂ calculated by the encrypting device and performing decryption in such a manner so as to generate received ciphertexts a and b respectively given by the following Equations (5) and (6) using the Fermat's little theorem and then derive the plaintext m satisfying the following Equation (7) from the received ciphertexts a and b using the Chinese remainder theorem, g ₁ =g ^(s(p−1))(modn),  (1) g ₂ =g ^(t(q−1))(modn),  (2) C ₁ =m·g ₁ ^(r1)(modn),  (3) C ₂ =m·g ₂ ^(r2)(modn),  (4) a=C ₁(modp)=m(modp),  (5) b=C ₂(modq)=m(modq),  (6) m=aAq+bBp(modn),  (7) where gcd{s, q−1}=1, gcd{t, p−1}=1, Aq (mod p)=1, and Bp (mod q)=1.
 9. A cryptosystem comprising: an encrypting device including: key generation means for generating prime numbers p and q of which product is n=pq, where p is a private key, and generating as a public key g₁ given by the following Equation (1) using a random number s and a maximal generator g in a multiplicative group of integers modulo n; and encrypting arithmetic means for, in response to receipt of a plaintext m, generating a ciphertext C given by the following Equation (3)′ using the public key g₁, a private key n, and a random number r; and a decrypting device including decrypting arithmetic means for receiving the ciphertext C from the encrypting device and performing decryption in such a manner so as to derive the plaintext m satisfying the following Equation (8) using the Fermat's little theorem, g ₁ =g ^(s(p−1))(modn),  (1) C=m·g ₁ ^(r)(modn),  (3)′m=C(modp),  (8) where gcd{s, q−1}=1.
 10. An encrypting method comprising the steps of: generating two prime numbers p and q of which product is n=pq as a private key and generating as a public key g₁ and g₂ respectively given by the following Equations (1) and (2) using two random numbers s and t and a maximal generator g in a multiplicative group of integers modulo n; and in response to receipt of a plaintext m, generating ciphertext elements C₁ and C₂ respectively given by the following Equations (3) and (4) using the public key {g₁, g₂}, a private key n, and random numbers r1 and r2, g ₁ =g ^(s(p−1))(modn),  (1) g ₂ =g ^(t(q−1))(modn),  (2) C ₁ =m·g ₁ ^(r1)(modn),  (3) C ₂ =m·g ₂ ^(r2)(modn),  (4) where gcd{s, q−1}=1 and gcd{t, p−1}=1.
 11. An encrypting method comprising the steps of: generating prime numbers p and q of which product is n=pq, where p is a private key, and generating as a public key g₁ given by the following Equation (1) using a random number s and a maximal generator g in a multiplicative group of integers modulo n; and in response to receipt of a plaintext m, generating a ciphertext C given by the following Equation (3)′ using the public key g₁, a private key n, and a random number r, g ₁ =g ^(s(p−1))(modn),  (1) C=m·g ₁ ^(r)(modn),  (3)′ where when information b is a size of p (bits), 0<m<2^(b−1) and gcd{s, q−1}=1.
 12. A decrypting method comprising the steps of: receiving a ciphertext C=(C₁, C₂), which is an encrypted plaintext m, respectively given by the following Equations (3) and (4) using a public key {g₁, g₂}, a private key n, and random numbers r1 and r2, the private key n being n=pq where p and q are prime numbers generated as a private key, g₁ and g₂ being respectively given by the Equations (1) and (2) using two random numbers s and t and a maximal generator g in a multiplicative group of integers modulo n; and performing decryption in such a manner so as to generate received ciphertexts a and b respectively given by the following Equations (5) and (6) using the Fermat's little theorem and then derive the plaintext m satisfying the following Equation (7) from the received ciphertexts a and b using the Chinese remainder theorem, g ₁ =g ^(s(p−1))(modn),  (1) g ₂ =g ^(t(q−1))(modn),  (2) C ₁ =m·g ₁ ^(r1)(modn),  (3) C ₂ =m·g ₂ ^(r2)(modn),  (4) a=C ₁(modp)=m(modp),  (5) b=C ₂(modq)=m(modq),  (6) m=aAq+bBp(modn),  (7) where gcd{s, q−1}=1, gcd{t, p−1}=1, Aq (mod p)=1, and Bp (mod q)=1.
 13. A decrypting method comprising the steps of: receiving a ciphertext C of an inputted plaintext m, given by the following Equation (3)′ using a public key g₁, a private key n, and a random number r, the private key n being n=pq where p and q are prime numbers, p being generated as a private key, g₁ being given by the following Equation (1) using a random number s and a maximal generator g in a multiplicative group of integers modulo n; and performing decryption in such a manner so as to derive the plaintext m satisfying the following Equation (8) using the Fermat's little theorem, g ₁ =g ^(s(p−1))(modn),  (1) C=m·g ₁ ^(r)(modn),  (3)′m=C(modp),  (8) where gcd{s, q−1}=1. 